On 9/13/06, Steve Willis <stevewillis@optusnet.com.au> wrote:
>
> We currently run a pair of Nokia ip350's in a HA pair. We have a public
> address for each of the firewalls plus one for the VIP. We have been
> successfully running SecureClient terminating on the VIP address without any
> problems. However we are about to migrate to a new ISP that wants us to
> allocate private addresses to the firewalls and the VIP and they will route
> from the newly allocated public address range to us.
>
> I am unable to see how SecureClient will work in this way. Our ISP assure me
> that this will work using NAT (they tell me this works on their PIX's). I
> managed to track down one document on the net that basically says that
> Checkpoint supplied an unsupported workaround, but even this will not work
> in a HA configuration, and I am certainly not interested in an unsupported
> option. I have agreed to try and get this working on the proviso that if it
> does not we will get public addressing for the firewalls, but so far I have
> been unsuccessful. Does anyone know if this is possible, and if so, any
> pointers?
>

If you have a recent version (NGX), you can use the Link Selection
feature (under the VPN properties on your cluster object), and then
say that your cluster is "Statically NATed" behind NAT.

I don't know what unsupported workaround you are talking about, but if
you are referring to adding a fake external interface, this should work
if you enable the dynamic interface resolving mechanism. :-)